File name:

SETUP.exe

Full analysis: https://app.any.run/tasks/3f73da96-29a6-435b-b563-a3c1d77e4e43
Verdict: Malicious activity
Analysis date: February 03, 2024, 15:33:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
MD5:

EC6A6A7431C9A8E9BB88C03027B358D1

SHA1:

3D6598DA95AE6AE732A68CF0F3A7E0F1ABECEC0E

SHA256:

A93F018F6157CA6636B7B0F783A9D42F404D2F66BD9FE455712CF07AD7E2272A

SSDEEP:

98304:oNOG/IdR86YzIuQsJ22ki7XrZNlJ+uLrh4EksRU9TUAgGATg8mM6CGyCajLHEdSL:aFBd+n+d

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • SETUP.exe (PID: 2628)
      • Setup.exe (PID: 2088)
      • IKernel.exe (PID: 3248)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • SETUP.exe (PID: 2628)
      • Setup.exe (PID: 2088)
      • IKernel.exe (PID: 3248)

    • Application launched itself

      • IKernel.exe (PID: 3248)

  • INFO

    • Checks supported languages

      • SETUP.exe (PID: 2628)
      • IKernel.exe (PID: 1072)
      • Setup.exe (PID: 2088)
      • IKernel.exe (PID: 3096)
      • IKernel.exe (PID: 3248)

    • Create files in a temporary directory

      • SETUP.exe (PID: 2628)
      • IKernel.exe (PID: 3248)

    • Reads the computer name

      • Setup.exe (PID: 2088)
      • IKernel.exe (PID: 1072)
      • IKernel.exe (PID: 3096)
      • IKernel.exe (PID: 3248)

    • Creates files in the program directory

      • Setup.exe (PID: 2088)
      • IKernel.exe (PID: 3248)

    • Reads Environment values

      • IKernel.exe (PID: 3248)

    • Reads the machine GUID from the registry

      • IKernel.exe (PID: 3248)
      • Setup.exe (PID: 2088)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2000:06:16 20:00:04+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 69632
InitializedDataSize: 98304
UninitializedDataSize: -
EntryPoint: 0x84a7
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.11.15.0
ProductVersionNumber: 2.11.15.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: Tiny_0213
CompanyName: General
FileDescription: TNC0402.2003.04.02
FileVersion: 1.00.000
InternalName: stub32i.exe
LegalCopyright: -
OriginalFileName: stub32i.exe
ProductName: MyDSC
ProductVersion: 1.00.000
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
6
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start setup.exe setup.exe ikernel.exe no specs ikernel.exe ikernel.exe no specs setup.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
752"C:\Users\admin\AppData\Local\Temp\SETUP.exe" C:\Users\admin\AppData\Local\Temp\SETUP.exeexplorer.exe
User:
admin
Company:
General
Integrity Level:
MEDIUM
Description:
TNC0402.2003.04.02
Exit code:
3221226540
Version:
1.00.000
Modules
Images
c:\users\admin\appdata\local\temp\setup.exe
c:\windows\system32\ntdll.dll
1072"C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe" -RegServerC:\Program Files\Common Files\InstallShield\engine\6\Intel 32\IKernel.exeSetup.exe
User:
admin
Company:
InstallShield Software Corporation
Integrity Level:
HIGH
Description:
InstallShield (R) Setup Engine
Exit code:
0
Version:
6, 31, 100, 1190
Modules
Images
c:\program files\common files\installshield\engine\6\intel 32\ikernel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
2088"C:\Users\admin\AppData\Local\Temp\pft353F~tmp\Disk1\Setup.exe"C:\Users\admin\AppData\Local\Temp\pft353F~tmp\Disk1\Setup.exe
SETUP.exe
User:
admin
Company:
InstallShield Software Corporation
Integrity Level:
HIGH
Description:
InstallShield (R) Setup Launcher
Exit code:
0
Version:
6, 20, 100, 1362
Modules
Images
c:\users\admin\appdata\local\temp\pft353f~tmp\disk1\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
2628"C:\Users\admin\AppData\Local\Temp\SETUP.exe" C:\Users\admin\AppData\Local\Temp\SETUP.exe
explorer.exe
User:
admin
Company:
General
Integrity Level:
HIGH
Description:
TNC0402.2003.04.02
Exit code:
0
Version:
1.00.000
Modules
Images
c:\users\admin\appdata\local\temp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3096"C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVERC:\Program Files\Common Files\InstallShield\engine\6\Intel 32\IKernel.exeIKernel.exe
User:
admin
Company:
InstallShield Software Corporation
Integrity Level:
HIGH
Description:
InstallShield (R) Setup Engine
Exit code:
0
Version:
6, 31, 100, 1190
Modules
Images
c:\program files\common files\installshield\engine\6\intel 32\ikernel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
3248C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe -EmbeddingC:\Program Files\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe
svchost.exe
User:
admin
Company:
InstallShield Software Corporation
Integrity Level:
HIGH
Description:
InstallShield (R) Setup Engine
Exit code:
0
Version:
6, 31, 100, 1190
Modules
Images
c:\program files\common files\installshield\engine\6\intel 32\ikernel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
Total events
394
Read events
388
Write events
6
Delete events
0

Modification events

(PID) Process:(3248) IKernel.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Operation:writeName:C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\corecomp.ini
Value:
1
(PID) Process:(3248) IKernel.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Operation:writeName:C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\ctor.dll
Value:
1
(PID) Process:(3248) IKernel.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Operation:writeName:C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\objectps.dll
Value:
1
(PID) Process:(3248) IKernel.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Operation:writeName:C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\iuser.dll
Value:
1
(PID) Process:(3248) IKernel.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Operation:writeName:C:\Program Files\Common Files\InstallShield\IScript\iscript.dll
Value:
1
(PID) Process:(3248) IKernel.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Operation:writeName:C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
Value:
1
Executable files
20
Suspicious files
12
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
2628SETUP.exeC:\Users\admin\AppData\Local\Temp\pft353F~tmp\Disk1\Setup.inxbinary
MD5:EBCF82227081D751F473E7C27445A9CF
SHA256:901CD123808483A2B22E2328CEE3BE7CF065482ED5C4B6C9745E4EFE6578CE6F
2628SETUP.exeC:\Users\admin\AppData\Local\Temp\pft353F~tmp\pftw1.pkgcompressed
MD5:90365C4341FDA04FF6FA92AB506B7B0E
SHA256:2DA0E80B7C839A84E56C1A43CDA7434DD5F13F5D1C0FB0C78C29DE6852747795
2628SETUP.exeC:\Users\admin\AppData\Local\Temp\pft353F~tmp\Disk1\Setup.exeexecutable
MD5:02A229BA8498F49336B37AE4B3A775F1
SHA256:278D71D67E7EDFAF2F6773C51A6D9DB9627278C47D0BED4709762FB9F0DC7351
2628SETUP.exeC:\Users\admin\AppData\Local\Temp\plf351E.tmptext
MD5:19A2283172165182D05BBD5745372F62
SHA256:379ADDFC2E4A0309EC0526507D564FC79EEB6635963C0E84F10CB8B103036C54
2628SETUP.exeC:\Users\admin\AppData\Local\Temp\pft353F~tmp\Disk1\data1.hdrbinary
MD5:A95C06F6C593D4F8A1DBA0DF84A00FB8
SHA256:1BA70BF2F92D6FB2EE63AA9FFD571708A48F1660A1F30F91913D24511D85A817
2628SETUP.exeC:\Users\admin\AppData\Local\Temp\pft353F~tmp\Disk1\data1.cabcompressed
MD5:0AF6574032E96B724AFDC8527C1D84C3
SHA256:43B5B41ABF20B989C41F2CDB44F4DE130D2ED867ABA40F469CC85EA17E71CF49
2628SETUP.exeC:\Users\admin\AppData\Local\Temp\pft353F~tmp\Disk1\Setup.initext
MD5:A848571EF69C8820FEC66E4AFAC27DDC
SHA256:FDC054E2653560EA9FE7941CDE407A52398DCDC5AC0B37EA131C4406A52E0C7B
2628SETUP.exeC:\Users\admin\AppData\Local\Temp\pft353F~tmp\Disk1\data2.cabcompressed
MD5:C37915BE02D0F7D78489FFD0FDD83B2D
SHA256:812CBE3F843D701E8010640BEF588E18031DC67D253E2D6D58225B7658797955
2628SETUP.exeC:\Users\admin\AppData\Local\Temp\pft353F~tmp\Disk1\layout.binbinary
MD5:928AECBA357045D61DA3E57976ABFD97
SHA256:794636658F16E377F6272ED7995DAF5710725683BFA7DDD5E0654B3E2FD8FCDF
2628SETUP.exeC:\Users\admin\AppData\Local\Temp\ext351F.tmptext
MD5:19A2283172165182D05BBD5745372F62
SHA256:379ADDFC2E4A0309EC0526507D564FC79EEB6635963C0E84F10CB8B103036C54
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SETUP.exe